Sophos Cloud Optix
It’s child’s play to create a Google account, and use the Google Docs facility to host an online form. Maybe you’d want to use it to poll customers’ opinions, for instance.
But if you’re a scammer – you can equally use Google Docs to phish for passwords and sensitive information.
Here are a few email campaigns I saw spammed out today, attempting to trick users into handing over their confidential data.
In the first example, the email asks the recipient to confirm their email account details or risk having it shut down.
The message reads:
Confirm your e-mail account please enter your Mailbox Details by clicking the link below:
[LINK]
Failure to provide details correctly will result to immediate closure of your mailbox account from our database.
As you can see, the link points to a page on Google Docs (docs.google.com). That gives the link a false aura of legitimacy. But what the link can’t do is tell you whether the Google account holder is legitimate or up to no good.
In this case, as you’ll see if you click on the link, it’s clearly an attempt to phish information from internet users.
As the screenshot below shows, the page falsely claims that your email account will be shut down in three days and the only way it claims you can resolve the situation is by entering your username and password.
Before you know it, your email account will be compromised. And if that username/password combination is being used elsewhere on the web or if – as is the case with Google – your details unlock a variety of services, then the security breach is compounded.
Here is another example of phishing via Google Docs that I encountered today. Again, it arrives in the form of a spam email.
The email reads as follows:
Subject: MAIL QUOTA 89.99%(VALIDATE)
Helpdesk requires you to validate your webmail.
Due to our upgrade, Protecting your webmail account is our primary concern, revalidate your e-mail by clicking [LINK] help desk.
If you do make the mistake of clicking on the link then you are taken once again to a page hosted on Google Docs (don’t be fooled by the different colour scheme).
Don’t forget, at the bottom of each Google Docs form there is a link where you can report abuse, such as phishing or offensive content.
Clicking the link should take you to a screen like this, where you can anonymously explain what your issue is with the page.
Sophos has reported the phishing webpages to the abuse team at Google Docs.
I would never fall for that. I can see how some people would though.
This was bound to happen when offering a service like this, they shoould put a BIG red disclaimer at the top stating that they will never contact people for there password/e.t.c using this kind of form.
If people dont like the disclaimer on there form then go some where else simple !
Cheers for sharing Sophos
Good read yet again !
Reporting abuse doesn’t seem to help though – we reported some sites weeks ago that are still phishing.
Great article Sophos! Unfortunately, there will always be malicious users of Forms but I think the benefits and functionality far outweigh this. The best way to counteract this is through education. Fortunately, these types of emails do get caught by the spam filter often.
David, just to note that reporting abuse will not automatically remove a form. Your best case is to have unique visitors to the form to report the abuse. Also, as always, you can post on the Google Docs Help Forum (http://productforums.google.com/forum/#!categories/docs/report-an-issue) where myself, fellow Docs TCs, or Googlers will be able to help with expediting a particularly phishy form.
Cheers!
Very sophisticated form of social engineering. The cyber criminals are getting smarter every day. That’s one reason I’m not using my gmail account anymore.
Great sharing! Thanks a lot for giving out crucial info. Hackers always try various type of scam thing to get users personal info and we need to be aware from such attacks. Thanks 🙂
Thank you for all info here everyone. It does help those who bother to read such things.
Just got one of those spam mails referring to Google Doc, having managed trough all our watchdogs. Basically, as I see it you MUST go to the page (click ON the fraudulous link) to report any abuse, that is you have to try to get infected (if its more than a questionnaire).
This reminds me about the company abusing my credit card last (and first) time it arrived, when I phoned them up to complain the answer was "pls give me your credit card number so we can correct whatever is wrong", OK to give my name but NOT ALSO the number !
So, as I get it Google has so many complains that they hide away how to report abuses. And you can always try to find your way with their "help": you run around in loops, so I assume 90% of people end up NOT reporting anything and Google gets the feeling they are doing well 😉
Have to agree with frustrated, Google makes it almost impossible to report anything, you need to click on the link to report it and THEN the report link uses the bad link as it's base, so for all you know you are reporting to the phisher using the same form ?
Example, phish link active as I write this
https://docs.google.com/forms/d/1Wek1gk51Zn60XdHw…
report abuse link
https://docs.google.com/forms/d/1Wek1gk51Zn60XdHw…
that does not exactly inspire confidence.